WebApp Sec mailing list archives
RE: How can i protect against session hijacking?
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Sat, 28 Mar 2009 10:53:17 -0000
If an attacker gets hold of the end user's cookies (through XSS and so forth), how can you actually prevent session hijacking?
The short answer is that you can't (and most of the things you can try to compensate with won't work, but will break something else, or impact on the user experience); as soon as you have lost the session ID, then you have lost the session ID. Focus your efforts on not losing the session ID.

Just my 2p. :)

Martin...